openstack/kolla-ansible
Code Issues Proposed changes

Support policy.yaml file [part 2]

Browse Source 
- Keystone
- Glance
- Nova
- Cinder

This will copy only yaml or json policy file if they exist.

Change-Id: I4a9415d82322aed68c9b7650bdf346f58fa49e2a
Implements: blueprint support-custom-policy-yaml
Co-authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
This commit is contained in:
Dai Dang Van 2018-01-08 11:21:12 +07:00
parent a9e5836cde
commit d77930373e
30 changed files with 230 additions and 174 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
ansible/roles/cinder/handlers/main.yml
View File

@ -5,7 +5,7 @@
service: "{{ cinder_services[service_name] }}" service: "{{ cinder_services[service_name] }}"
config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ cinder_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ cinder_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
cinder_api_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_api_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -20,7 +20,7 @@
- config_json.changed | bool - config_json.changed | bool
or cinder_conf.changed | bool or cinder_conf.changed | bool
or wsgi_cinder_api.changed | bool or wsgi_cinder_api.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or cinder_api_container.changed | bool or cinder_api_container.changed | bool
- name: Restart cinder-scheduler container - name: Restart cinder-scheduler container
@ -29,7 +29,7 @@
service: "{{ cinder_services[service_name] }}" service: "{{ cinder_services[service_name] }}"
config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ cinder_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ cinder_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
cinder_scheduler_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_scheduler_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -43,7 +43,7 @@
- service.enabled | bool - service.enabled | bool
- config_json.changed | bool - config_json.changed | bool
or cinder_conf.changed | bool or cinder_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or cinder_scheduler_container.changed | bool or cinder_scheduler_container.changed | bool
- name: Restart cinder-volume container - name: Restart cinder-volume container
@ -52,7 +52,7 @@
service: "{{ cinder_services[service_name] }}" service: "{{ cinder_services[service_name] }}"
config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ cinder_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ cinder_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
cinder_volume_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_volume_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -68,7 +68,7 @@
- service.enabled | bool - service.enabled | bool
- config_json.changed | bool - config_json.changed | bool
or cinder_conf.changed | bool or cinder_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or cinder_volume_container.changed | bool or cinder_volume_container.changed | bool
- name: Restart cinder-backup container - name: Restart cinder-backup container
@ -77,7 +77,7 @@
service: "{{ cinder_services[service_name] }}" service: "{{ cinder_services[service_name] }}"
config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ cinder_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_conf: "{{ cinder_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ cinder_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ cinder_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
cinder_backup_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" cinder_backup_container: "{{ check_cinder_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -92,5 +92,5 @@
- service.enabled | bool - service.enabled | bool
- config_json.changed | bool - config_json.changed | bool
or cinder_conf.changed | bool or cinder_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or cinder_backup_container.changed | bool or cinder_backup_container.changed | bool

32
ansible/roles/cinder/tasks/config.yml
View File

@ -9,6 +9,23 @@
- item.value.enabled | bool - item.value.enabled | bool
with_dict: "{{ cinder_services }}" with_dict: "{{ cinder_services }}"
- name: Check if policies shall be overwritten
local_action: stat path="{{ item }}"
run_once: True
register: cinder_policy
with_first_found:
- files: "{{ supported_policy_format_list }}"
paths:
- "{{ node_custom_config }}/cinder/"
skip: true
- name: Set cinder policy file
set_fact:
cinder_policy_file: "{{ cinder_policy.results.0.stat.path | basename }}"
cinder_policy_file_path: "{{ cinder_policy.results.0.stat.path }}"
when:
- cinder_policy.results
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"
@ -63,18 +80,13 @@
- Restart cinder-volume container - Restart cinder-volume container
- Restart cinder-backup container - Restart cinder-backup container
- name: Check if policies shall be overwritten - name: Copying over existing policy file
local_action: stat path="{{ node_custom_config }}/cinder/policy.json"
run_once: True
register: cinder_policy
- name: Copying over existing policy.json
template: template:
src: "{{ node_custom_config }}/cinder/policy.json" src: "{{ cinder_policy_file_path }}"
dest: "{{ node_config_directory }}/{{ item.key }}/policy.json" dest: "{{ node_config_directory }}/{{ item.key }}/{{ cinder_policy_file }}"
register: cinder_policy_jsons register: cinder_policy_overwriting
when: when:
- cinder_policy.stat.exists - cinder_policy_file is defined
- inventory_hostname in groups[item.value.group] - inventory_hostname in groups[item.value.group]
with_dict: "{{ cinder_services }}" with_dict: "{{ cinder_services }}"
notify: notify:

11
ansible/roles/cinder/templates/cinder-api.json.j2
View File

@ -14,14 +14,13 @@
"dest": "/etc/{{ cinder_dir }}/cinder-wsgi.conf", "dest": "/etc/{{ cinder_dir }}/cinder-wsgi.conf",
"owner": "cinder", "owner": "cinder",
"perm": "0600" "perm": "0600"
}, }{% if cinder_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ cinder_policy_file }}",
"dest": "/etc/cinder/policy.json", "dest": "/etc/cinder/{{ cinder_policy_file }}",
"owner": "cinder", "owner": "cinder",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %}
}
], ],
"permissions": [ "permissions": [
{ {

11
ansible/roles/cinder/templates/cinder-backup.json.j2
View File

@ -6,14 +6,13 @@
"dest": "/etc/cinder/cinder.conf", "dest": "/etc/cinder/cinder.conf",
"owner": "cinder", "owner": "cinder",
"perm": "0600" "perm": "0600"
}, }{% if cinder_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ cinder_policy_file }}",
"dest": "/etc/cinder/policy.json", "dest": "/etc/cinder/{{ cinder_policy_file }}",
"owner": "cinder", "owner": "cinder",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %}{% if cinder_backend_ceph | bool %},
}{% if cinder_backend_ceph | bool %},
{ {
"source": "{{ container_config_directory }}/ceph.*", "source": "{{ container_config_directory }}/ceph.*",
"dest": "/etc/ceph/", "dest": "/etc/ceph/",

11
ansible/roles/cinder/templates/cinder-scheduler.json.j2
View File

@ -6,14 +6,13 @@
"dest": "/etc/cinder/cinder.conf", "dest": "/etc/cinder/cinder.conf",
"owner": "cinder", "owner": "cinder",
"perm": "0600" "perm": "0600"
}, }{% if cinder_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ cinder_policy_file }}",
"dest": "/etc/cinder/policy.json", "dest": "/etc/cinder/{{ cinder_policy_file }}",
"owner": "cinder", "owner": "cinder",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %}
}
], ],
"permissions": [ "permissions": [
{ {

11
ansible/roles/cinder/templates/cinder-volume.json.j2
View File

@ -27,14 +27,13 @@
"owner": "cinder", "owner": "cinder",
"perm": "0600", "perm": "0600",
"optional": {{ (not enable_cinder_backend_nfs | bool) | string | lower }} "optional": {{ (not enable_cinder_backend_nfs | bool) | string | lower }}
}, }{% if cinder_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ cinder_policy_file }}",
"dest": "/etc/cinder/policy.json", "dest": "/etc/cinder/{{ cinder_policy_file }}",
"owner": "cinder", "owner": "cinder",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %}
}
], ],
"permissions": [ "permissions": [
{ {

5
ansible/roles/cinder/templates/cinder.conf.j2
View File

@ -68,6 +68,11 @@ topics = notifications
driver = noop driver = noop
{% endif %} {% endif %}
{% if cinder_policy_file is defined %}
[oslo_policy]
policy_file = {{ cinder_policy_file }}
{% endif %}
[nova] [nova]
region_name = {{ openstack_region_name }} region_name = {{ openstack_region_name }}
interface = internal interface = internal

8
ansible/roles/glance/handlers/main.yml
View File

@ -5,7 +5,7 @@
service: "{{ glance_services[service_name] }}" service: "{{ glance_services[service_name] }}"
config_json: "{{ glance_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ glance_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
glance_conf: "{{ glance_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" glance_conf: "{{ glance_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ glance_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ glance_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
glance_api_container: "{{ check_glance_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" glance_api_container: "{{ check_glance_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -20,7 +20,7 @@
- config_json.changed | bool - config_json.changed | bool
or glance_conf.changed | bool or glance_conf.changed | bool
or glance_swift_conf.changed | bool or glance_swift_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or glance_api_container.changed | bool or glance_api_container.changed | bool
- name: Restart glance-registry container - name: Restart glance-registry container
@ -29,7 +29,7 @@
service: "{{ glance_services[service_name] }}" service: "{{ glance_services[service_name] }}"
config_json: "{{ glance_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ glance_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
glance_conf: "{{ glance_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" glance_conf: "{{ glance_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ glance_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ glance_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
glance_registry_container: "{{ check_glance_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" glance_registry_container: "{{ check_glance_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -43,6 +43,6 @@
- service.enabled | bool - service.enabled | bool
- config_json.changed | bool - config_json.changed | bool
or glance_conf.changed | bool or glance_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or glance_registry_container.changed | bool or glance_registry_container.changed | bool

32
ansible/roles/glance/tasks/config.yml
View File

@ -22,6 +22,23 @@
- item.value.enabled | bool - item.value.enabled | bool
with_dict: "{{ glance_services }}" with_dict: "{{ glance_services }}"
- name: Check if policies shall be overwritten
local_action: stat path="{{ item }}"
run_once: True
register: glance_policy
with_first_found:
- files: "{{ supported_policy_format_list }}"
paths:
- "{{ node_custom_config }}/glance/"
skip: true
- name: Set glance policy file
set_fact:
glance_policy_file: "{{ glance_policy.results.0.stat.path | basename }}"
glance_policy_file_path: "{{ glance_policy.results.0.stat.path }}"
when:
- glance_policy.results
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"
@ -59,11 +76,6 @@
- Restart glance-api container - Restart glance-api container
- Restart glance-registry container - Restart glance-registry container
- name: Check if policies shall be overwritten
local_action: stat path="{{ node_custom_config }}/glance/policy.json"
run_once: True
register: glance_policy
- name: Copying over glance-swift.conf for glance_api - name: Copying over glance-swift.conf for glance_api
vars: vars:
glance_api: "{{ glance_services['glance-api'] }}" glance_api: "{{ glance_services['glance-api'] }}"
@ -82,15 +94,15 @@
notify: notify:
- Restart glance-api container - Restart glance-api container
- name: Copying over existing policy.json - name: Copying over existing policy file
template: template:
src: "{{ node_custom_config }}/glance/policy.json" src: "{{ glance_policy_file_path }}"
dest: "{{ node_config_directory }}/{{ item.key }}/policy.json" dest: "{{ node_config_directory }}/{{ item.key }}/{{ glance_policy_file_path }}"
mode: "0660" mode: "0660"
become: true become: true
register: glance_policy_jsons register: glance_policy_overwriting
when: when:
- glance_policy.stat.exists - glance_policy_file is defined
- inventory_hostname in groups[item.value.group] - inventory_hostname in groups[item.value.group]
with_dict: "{{ glance_services }}" with_dict: "{{ glance_services }}"
notify: notify:

5
ansible/roles/glance/templates/glance-api.conf.j2
View File

@ -89,6 +89,11 @@ driver = messagingv2
driver = noop driver = noop
{% endif %} {% endif %}
{% if glance_policy_file is defined %}
[oslo_policy]
policy_file = {{ glance_policy_file }}
{% endif %}
{% if enable_osprofiler | bool %} {% if enable_osprofiler | bool %}
[profiler] [profiler]
enabled = true enabled = true

11
ansible/roles/glance/templates/glance-api.json.j2
View File

@ -6,14 +6,13 @@
"dest": "/etc/glance/glance-api.conf", "dest": "/etc/glance/glance-api.conf",
"owner": "glance", "owner": "glance",
"perm": "0600" "perm": "0600"
}, }{% if glance_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ glance_policy_file }}",
"dest": "/etc/glance/policy.json", "dest": "/etc/glance/{{ glance_policy_file }}",
"owner": "glance", "owner": "glance",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %}{% if glance_backend_ceph | bool %},
}{% if glance_backend_ceph | bool %},
{ {
"source": "{{ container_config_directory }}/ceph.*", "source": "{{ container_config_directory }}/ceph.*",
"dest": "/etc/ceph/", "dest": "/etc/ceph/",

5
ansible/roles/glance/templates/glance-registry.conf.j2
View File

@ -39,6 +39,11 @@ driver = messagingv2
driver = noop driver = noop
{% endif %} {% endif %}
{% if glance_policy_file is defined %}
[oslo_policy]
policy_file = {{ glance_policy_file }}
{% endif %}
{% if enable_osprofiler | bool %} {% if enable_osprofiler | bool %}
[profiler] [profiler]
enabled = true enabled = true

11
ansible/roles/glance/templates/glance-registry.json.j2
View File

@ -6,14 +6,13 @@
"dest": "/etc/glance/glance-registry.conf", "dest": "/etc/glance/glance-registry.conf",
"owner": "glance", "owner": "glance",
"perm": "0600" "perm": "0600"
}, }{% if glance_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ glance_policy_file }}",
"dest": "/etc/glance/policy.json", "dest": "/etc/glance/{{ glance_policy_file }}",
"owner": "glance", "owner": "glance",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %}
}
], ],
"permissions": [ "permissions": [
{ {

8
ansible/roles/keystone/handlers/main.yml
View File

@ -31,7 +31,7 @@
service: "{{ keystone_services[service_name] }}" service: "{{ keystone_services[service_name] }}"
config_json: "{{ keystone_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ keystone_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
keystone_conf: "{{ keystone_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" keystone_conf: "{{ keystone_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ keystone_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ keystone_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
keystone_container: "{{ check_keystone_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" keystone_container: "{{ check_keystone_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -46,7 +46,7 @@
- config_json.changed | bool - config_json.changed | bool
or keystone_conf.changed | bool or keystone_conf.changed | bool
or keystone_domains.changed | bool or keystone_domains.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or keystone_wsgi.changed | bool or keystone_wsgi.changed | bool
or keystone_paste_ini.changed | bool or keystone_paste_ini.changed | bool
or keystone_container.changed | bool or keystone_container.changed | bool
@ -57,7 +57,7 @@
service: "{{ keystone_services[service_name] }}" service: "{{ keystone_services[service_name] }}"
config_json: "{{ keystone_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ keystone_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
keystone_conf: "{{ keystone_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" keystone_conf: "{{ keystone_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ keystone_policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ keystone_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
keystone_fernet_container: "{{ check_keystone_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" keystone_fernet_container: "{{ check_keystone_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -71,7 +71,7 @@
- service.enabled | bool - service.enabled | bool
- config_json.changed | bool - config_json.changed | bool
or keystone_conf.changed | bool or keystone_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or keystone_fernet_confs.changed | bool or keystone_fernet_confs.changed | bool
or keystone_fernet_container.changed | bool or keystone_fernet_container.changed | bool

24
ansible/roles/keystone/tasks/config.yml
View File

@ -1,8 +1,20 @@
--- ---
- name: Check if policies shall be overwritten - name: Check if policies shall be overwritten
local_action: stat path="{{ node_custom_config }}/keystone/policy.json" local_action: stat path="{{ item }}"
run_once: True run_once: True
register: keystone_policy register: keystone_policy
with_first_found:
- files: "{{ supported_policy_format_list }}"
paths:
- "{{ node_custom_config }}/keystone/"
skip: true
- name: Set keystone policy file
set_fact:
keystone_policy_file: "{{ keystone_policy.results.0.stat.path | basename }}"
keystone_policy_file_path: "{{ keystone_policy.results.0.stat.path }}"
when:
- keystone_policy.results
- name: Check if Keystone Domain specific settings enabled - name: Check if Keystone Domain specific settings enabled
local_action: stat path="{{ node_custom_config }}/keystone/domains" local_action: stat path="{{ node_custom_config }}/keystone/domains"
@ -107,18 +119,18 @@
notify: notify:
- Restart keystone container - Restart keystone container
- name: Copying over existing policy.json - name: Copying over existing policy file
template: template:
src: "{{ node_custom_config }}/keystone/policy.json" src: "{{ keystone_policy_file_path }}"
dest: "{{ node_config_directory }}/{{ item.key }}/policy.json" dest: "{{ node_config_directory }}/{{ item.key }}/{{ keystone_policy_file }}"
mode: "0660" mode: "0660"
become: true become: true
register: keystone_policy_jsons register: keystone_policy_overwriting
when: when:
- inventory_hostname in groups[item.value.group] - inventory_hostname in groups[item.value.group]
- item.key in [ "keystone", "keystone-fernet" ] - item.key in [ "keystone", "keystone-fernet" ]
- item.value.enabled | bool - item.value.enabled | bool
- keystone_policy.stat.exists - keystone_policy_file is defined
with_dict: "{{ keystone_services }}" with_dict: "{{ keystone_services }}"
notify: notify:
- Restart keystone container - Restart keystone container

11
ansible/roles/keystone/templates/keystone-fernet.json.j2
View File

@ -36,13 +36,12 @@
"dest": "/var/lib/keystone/.ssh/id_rsa", "dest": "/var/lib/keystone/.ssh/id_rsa",
"owner": "keystone", "owner": "keystone",
"perm": "0600" "perm": "0600"
}, }{% if keystone_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ keystone_policy_file }}",
"dest": "/etc/keystone/policy.json", "dest": "/etc/keystone/{{ keystone_policy_file }}",
"owner": "keystone", "owner": "keystone",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %}
}
] ]
} }

5
ansible/roles/keystone/templates/keystone.conf.j2
View File

@ -13,6 +13,11 @@ use_stderr = True
[oslo_middleware] [oslo_middleware]
enable_proxy_headers_parsing = True enable_proxy_headers_parsing = True
{% if keystone_policy_file is defined %}
[oslo_policy]
policy_file = {{ keystone_policy_file }}
{% endif %}
[database] [database]
connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }} connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }}
max_retries = -1 max_retries = -1

11
ansible/roles/keystone/templates/keystone.json.j2
View File

@ -22,14 +22,13 @@
"owner": "keystone", "owner": "keystone",
"perm": "0700", "perm": "0700",
"optional": true "optional": true
}, }{% if keystone_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ keystone_policy_file }}",
"dest": "/etc/keystone/policy.json", "dest": "/etc/keystone/{{ keystone_policy_file }}",
"owner": "keystone", "owner": "keystone",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %},
},
{ {
"source": "{{ container_config_directory }}/wsgi-keystone.conf", "source": "{{ container_config_directory }}/wsgi-keystone.conf",
"dest": "/etc/{{ keystone_dir }}/wsgi-keystone.conf", "dest": "/etc/{{ keystone_dir }}/wsgi-keystone.conf",

40
ansible/roles/nova/handlers/main.yml
View File

@ -54,7 +54,7 @@
service: "{{ nova_services[service_name] }}" service: "{{ nova_services[service_name] }}"
config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
placement_api_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" placement_api_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -68,7 +68,7 @@
- service.enabled | bool - service.enabled | bool
- config_json.changed | bool - config_json.changed | bool
or nova_conf.changed | bool or nova_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or placement_api_wsgi_conf | changed or placement_api_wsgi_conf | changed
or placement_api_container.changed | bool or placement_api_container.changed | bool
@ -78,7 +78,7 @@
service: "{{ nova_services[service_name] }}" service: "{{ nova_services[service_name] }}"
config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_api_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_api_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -93,7 +93,7 @@
- service.enabled | bool - service.enabled | bool
- config_json.changed | bool - config_json.changed | bool
or nova_conf.changed | bool or nova_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or nova_api_container.changed | bool or nova_api_container.changed | bool
- name: Restart nova-scheduler container - name: Restart nova-scheduler container
@ -102,7 +102,7 @@
service: "{{ nova_services[service_name] }}" service: "{{ nova_services[service_name] }}"
config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_scheduler_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_scheduler_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -117,7 +117,7 @@
- service.enabled | bool - service.enabled | bool
- config_json.changed | bool - config_json.changed | bool
or nova_conf.changed | bool or nova_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or nova_scheduler_container.changed | bool or nova_scheduler_container.changed | bool
- name: Restart nova-conductor container - name: Restart nova-conductor container
@ -126,7 +126,7 @@
service: "{{ nova_services[service_name] }}" service: "{{ nova_services[service_name] }}"
config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_conductor_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conductor_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -141,7 +141,7 @@
- service.enabled | bool - service.enabled | bool
- config_json.changed | bool - config_json.changed | bool
or nova_conf.changed | bool or nova_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or nova_conductor_container.changed | bool or nova_conductor_container.changed | bool
@ -151,7 +151,7 @@
service: "{{ nova_services[service_name] }}" service: "{{ nova_services[service_name] }}"
config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_consoleauth_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_consoleauth_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -166,7 +166,7 @@
- service.enabled | bool - service.enabled | bool
- config_json.changed | bool - config_json.changed | bool
or nova_conf.changed | bool or nova_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or nova_consoleauth_container.changed | bool or nova_consoleauth_container.changed | bool
- name: Restart nova-novncproxy container - name: Restart nova-novncproxy container
@ -175,7 +175,7 @@
service: "{{ nova_services[service_name] }}" service: "{{ nova_services[service_name] }}"
config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_novncproxy_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_novncproxy_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -190,7 +190,7 @@
- service.enabled | bool - service.enabled | bool
- config_json.changed | bool - config_json.changed | bool
or nova_conf.changed | bool or nova_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or nova_novncproxy_container.changed | bool or nova_novncproxy_container.changed | bool
- name: Restart nova-spicehtml5proxy container - name: Restart nova-spicehtml5proxy container
@ -199,7 +199,7 @@
service: "{{ nova_services[service_name] }}" service: "{{ nova_services[service_name] }}"
config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_spicehtml5proxy_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_spicehtml5proxy_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -214,7 +214,7 @@
- service.enabled | bool - service.enabled | bool
- config_json.changed | bool - config_json.changed | bool
or nova_conf.changed | bool or nova_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or nova_spicehtml5proxy_container.changed | bool or nova_spicehtml5proxy_container.changed | bool
- name: Restart nova-serialproxy container - name: Restart nova-serialproxy container
@ -223,7 +223,7 @@
service: "{{ nova_services[service_name] }}" service: "{{ nova_services[service_name] }}"
config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_serialproxy_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_serialproxy_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -238,7 +238,7 @@
- service.enabled | bool - service.enabled | bool
- config_json.changed | bool - config_json.changed | bool
or nova_conf.changed | bool or nova_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or nova_serialproxy_container.changed | bool or nova_serialproxy_container.changed | bool
- name: Restart nova-compute container - name: Restart nova-compute container
@ -247,7 +247,7 @@
service: "{{ nova_services[service_name] }}" service: "{{ nova_services[service_name] }}"
config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_compute_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_compute_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -263,7 +263,7 @@
- service.enabled | bool - service.enabled | bool
- config_json.changed | bool - config_json.changed | bool
or nova_conf.changed | bool or nova_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or vcenter_ca_file | bool or vcenter_ca_file | bool
or nova_compute_container.changed | bool or nova_compute_container.changed | bool
@ -273,7 +273,7 @@
service: "{{ nova_services[service_name] }}" service: "{{ nova_services[service_name] }}"
config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" config_json: "{{ config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_conf: "{{ nova_confs.results|selectattr('item.key', 'equalto', service_name)|first }}"
policy_json: "{{ policy_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}" policy_overwriting: "{{ nova_policy_overwriting.results|selectattr('item.key', 'equalto', service_name)|first }}"
nova_compute_ironic_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}" nova_compute_ironic_container: "{{ check_nova_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
kolla_docker: kolla_docker:
action: "recreate_or_restart_container" action: "recreate_or_restart_container"
@ -288,7 +288,7 @@
- service.enabled | bool - service.enabled | bool
- config_json.changed | bool - config_json.changed | bool
or nova_conf.changed | bool or nova_conf.changed | bool
or policy_json.changed | bool or policy_overwriting.changed | bool
or nova_compute_ironic_container.changed | bool or nova_compute_ironic_container.changed | bool
# nova-compute-fake is special. It will start multi numbers of container # nova-compute-fake is special. It will start multi numbers of container

32
ansible/roles/nova/tasks/config.yml
View File

@ -24,6 +24,23 @@
- item.value.enabled | bool - item.value.enabled | bool
with_dict: "{{ nova_services }}" with_dict: "{{ nova_services }}"
- name: Check if policies shall be overwritten
local_action: stat path="{{ item }}"
run_once: True
register: nova_policy
with_first_found:
- files: "{{ supported_policy_format_list }}"
paths:
- "{{ node_custom_config }}/nova/"
skip: true
- name: Set nova policy file
set_fact:
nova_policy_file: "{{ nova_policy.results.0.stat.path | basename }}"
nova_policy_file_path: "{{ nova_policy.results.0.stat.path }}"
when:
- nova_policy.results
- name: Copying over config.json files for services - name: Copying over config.json files for services
become: true become: true
template: template:
@ -138,12 +155,7 @@
notify: notify:
- Restart nova-compute container - Restart nova-compute container
- name: Check if policies shall be overwritten - name: Copying over existing policy file
local_action: stat path="{{ node_custom_config }}/nova/policy.json"
run_once: True
register: nova_policy
- name: Copying over existing policy.json
become: true become: true
vars: vars:
services_require_policy_json: services_require_policy_json:
@ -158,13 +170,13 @@
- nova-scheduler - nova-scheduler
- nova-spicehtml5proxy - nova-spicehtml5proxy
template: template:
src: "{{ node_custom_config }}/nova/policy.json" src: "{{ nova_policy_file_path }}"
dest: "{{ node_config_directory }}/{{ item.key }}/policy.json" dest: "{{ node_config_directory }}/{{ item.key }}/{{ nova_policy_file }}"
register: policy_jsons register: nova_policy_overwriting
when: when:
- inventory_hostname in groups[item.value.group] - inventory_hostname in groups[item.value.group]
- item.value.enabled | bool - item.value.enabled | bool
- nova_policy.stat.exists - nova_policy_file is defined
- item.key in services_require_policy_json - item.key in services_require_policy_json
with_dict: "{{ nova_services }}" with_dict: "{{ nova_services }}"
notify: notify:

11
ansible/roles/nova/templates/nova-api.json.j2
View File

@ -6,14 +6,13 @@
"dest": "/etc/nova/nova.conf", "dest": "/etc/nova/nova.conf",
"owner": "nova", "owner": "nova",
"perm": "0600" "perm": "0600"
}, }{% if nova_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
"dest": "/etc/nova/policy.json", "dest": "/etc/nova/{{ nova_policy_file }}",
"owner": "nova", "owner": "nova",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %}
}
], ],
"permissions": [ "permissions": [
{ {

11
ansible/roles/nova/templates/nova-compute-ironic.json.j2
View File

@ -6,14 +6,13 @@
"dest": "/etc/nova/nova.conf", "dest": "/etc/nova/nova.conf",
"owner": "nova", "owner": "nova",
"perm": "0600" "perm": "0600"
}, }{% if nova_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
"dest": "/etc/nova/policy.json", "dest": "/etc/nova/{{ nova_policy_file }}",
"owner": "nova", "owner": "nova",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %}
}
], ],
"permissions": [ "permissions": [
{ {

11
ansible/roles/nova/templates/nova-compute.json.j2
View File

@ -6,14 +6,13 @@
"dest": "/etc/nova/nova.conf", "dest": "/etc/nova/nova.conf",
"owner": "nova", "owner": "nova",
"perm": "0600" "perm": "0600"
}, }{% if nova_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
"dest": "/etc/nova/policy.json", "dest": "/etc/nova/{{ nova_policy_file }}",
"owner": "nova", "owner": "nova",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %}{% if nova_backend == "rbd" %},
}{% if nova_backend == "rbd" %},
{ {
"source": "{{ container_config_directory }}/ceph.*", "source": "{{ container_config_directory }}/ceph.*",
"dest": "/etc/ceph/", "dest": "/etc/ceph/",

11
ansible/roles/nova/templates/nova-conductor.json.j2
View File

@ -6,14 +6,13 @@
"dest": "/etc/nova/nova.conf", "dest": "/etc/nova/nova.conf",
"owner": "nova", "owner": "nova",
"perm": "0600" "perm": "0600"
}, }{% if nova_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
"dest": "/etc/nova/policy.json", "dest": "/etc/nova/{{ nova_policy_file }}",
"owner": "nova", "owner": "nova",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %}
}
], ],
"permissions": [ "permissions": [
{ {

11
ansible/roles/nova/templates/nova-consoleauth.json.j2
View File

@ -6,14 +6,13 @@
"dest": "/etc/nova/nova.conf", "dest": "/etc/nova/nova.conf",
"owner": "nova", "owner": "nova",
"perm": "0600" "perm": "0600"
}, }{% if nova_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
"dest": "/etc/nova/policy.json", "dest": "/etc/nova/{{ nova_policy_file }}",
"owner": "nova", "owner": "nova",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %}
}
], ],
"permissions": [ "permissions": [
{ {

11
ansible/roles/nova/templates/nova-novncproxy.json.j2
View File

@ -6,14 +6,13 @@
"dest": "/etc/nova/nova.conf", "dest": "/etc/nova/nova.conf",
"owner": "nova", "owner": "nova",
"perm": "0600" "perm": "0600"
}, }{% if nova_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
"dest": "/etc/nova/policy.json", "dest": "/etc/nova/{{ nova_policy_file }}",
"owner": "nova", "owner": "nova",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %}
}
], ],
"permissions": [ "permissions": [
{ {

11
ansible/roles/nova/templates/nova-scheduler.json.j2
View File

@ -6,14 +6,13 @@
"dest": "/etc/nova/nova.conf", "dest": "/etc/nova/nova.conf",
"owner": "nova", "owner": "nova",
"perm": "0600" "perm": "0600"
}, }{% if nova_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
"dest": "/etc/nova/policy.json", "dest": "/etc/nova/{{ nova_policy_file }}",
"owner": "nova", "owner": "nova",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %}
}
], ],
"permissions": [ "permissions": [
{ {

11
ansible/roles/nova/templates/nova-spicehtml5proxy.json.j2
View File

@ -6,14 +6,13 @@
"dest": "/etc/nova/nova.conf", "dest": "/etc/nova/nova.conf",
"owner": "nova", "owner": "nova",
"perm": "0600" "perm": "0600"
}, }{% if nova_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
"dest": "/etc/nova/policy.json", "dest": "/etc/nova/{{ nova_policy_file }}",
"owner": "nova", "owner": "nova",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %}
}
], ],
"permissions": [ "permissions": [
{ {

5
ansible/roles/nova/templates/nova.conf.j2
View File

@ -215,6 +215,11 @@ topics = {{ nova_enabled_notification_topics | map(attribute='name') | join(',')
driver = noop driver = noop
{% endif %} {% endif %}
{% if nova_policy_file is defined %}
[oslo_policy]
policy_file = {{ nova_policy_file }}
{% endif %}
[privsep_entrypoint] [privsep_entrypoint]
helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf

11
ansible/roles/nova/templates/placement-api.json.j2
View File

@ -8,14 +8,13 @@
"dest": "/etc/nova/nova.conf", "dest": "/etc/nova/nova.conf",
"owner": "nova", "owner": "nova",
"perm": "0600" "perm": "0600"
}, }{% if nova_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/policy.json", "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
"dest": "/etc/nova/policy.json", "dest": "/etc/nova/{{ nova_policy_file }}",
"owner": "nova", "owner": "nova",
"perm": "0600", "perm": "0600"
"optional": true }{% endif %},
},
{ {
"source": "{{ container_config_directory }}/placement-api-wsgi.conf", "source": "{{ container_config_directory }}/placement-api-wsgi.conf",
"dest": "/etc/{{ apache_conf_dir }}/placement-api-wsgi.conf", "dest": "/etc/{{ apache_conf_dir }}/placement-api-wsgi.conf",